Citibank ‘Merchant Billing Statement’ themed emails lead to malware

Over the past 24 hours, we’ve intercepted yet another spam campaign impersonating Citibank in an attempt to socially engineer Citibank customers into thinking that they’ve received a Merchant Billing Statement. Once users execute the malicious attachment found in the fake emails, their PCs automatically join the botnet operated by the cybercriminal/cybercriminals.

Once executed, the sample drops the following files on the affected hosts:MD5: d41d8cd98f00b204e9800998ecf8427eMD5: 758498d6b275e58e3c83494ad6080ac2MD5: 342b7a0425bb3b671854bc7a4823d378MD5: 2401466fb91045ac970a1dbb1a468783

It then starts listening on port 16985, allowing the cybercriminals behind the campaign to gain complete access to the host.

The sample also creates the following Mutexes:Local\{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}Local\{B0B9FAFC-CA9D-4B54-DBC9-BE58FA349D4A}Local\{D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A}Local\{D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A}Local\{0BB5ADEF-9D8E-F058-DBC9-BE58FA349D4A}Local\{911F9FCD-AFAC-6AF2-DBC9-BE58FA349D4A}Global\{2E06BA86-8AE7-D5EB-DBC9-BE58FA349D4A}Global\{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}Global\{B0B9FAFC-CA9D-4B54-DBC9-BE58FA349D4A}Global\{D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A}Global\{D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A}Global\{0BB5ADEF-9D8E-F058-DBC9-BE58FA349D4A}Global\{BB67AFC4-9FA5-408A-DBC9-BE58FA349D4A}Global\{EE3082BB-B2DA-15DD-11EB-B06D3016937F}Global\{EE3082BB-B2DA-15DD-75EA-B06D5417937F}Global\{EE3082BB-B2DA-15DD-4DE9-B06D6C14937F}Global\{EE3082BB-B2DA-15DD-65E9-B06D4414937F}Global\{EE3082BB-B2DA-15DD-89E9-B06DA814937F}Global\{EE3082BB-B2DA-15DD-BDE9-B06D9C14937F}Global\{EE3082BB-B2DA-15DD-51E8-B06D7015937F}Global\{EE3082BB-B2DA-15DD-81E8-B06DA015937F}Global\{EE3082BB-B2DA-15DD-FDE8-B06DDC15937F}Global\{EE3082BB-B2DA-15DD-0DEF-B06D2C12937F}Global\{EE3082BB-B2DA-15DD-5DEF-B06D7C12937F}Global\{EE3082BB-B2DA-15DD-95EE-B06DB413937F}Global\{EE3082BB-B2DA-15DD-F1EE-B06DD013937F}Global\{EE3082BB-B2DA-15DD-89EB-B06DA816937F}Global\{EE3082BB-B2DA-15DD-F9EF-B06DD812937F}Global\{EE3082BB-B2DA-15DD-E5EF-B06DC412937F}Global\{EE3082BB-B2DA-15DD-0DEE-B06D2C13937F}Global\{EE3082BB-B2DA-15DD-09ED-B06D2810937F}Global\{EE3082BB-B2DA-15DD-51EF-B06D7012937F}Global\{EE3082BB-B2DA-15DD-35EC-B06D1411937F}Global\{EE3082BB-B2DA-15DD-B1EA-B06D9017937F}Global\{DDB39BDC-ABBD-265E-DBC9-BE58FA349D4A}Global\{2E1C200D-106C-D5F1-DBC9-BE58FA349D4A}

It then phones back to the following C&C servers:1.168.36.175:19755174.89.51.54:28289190.73.229.164:12407194.94.127.98:2554924.120.165.58:2125166.63.204.26:2948272.20.156.250:1715775.87.65.147:1201483.21.8.24:1022085.113.97.137:2339799.103.42.49:2648083.213.40.53190.75.107.9275.61.139.23189.223.135.11881.149.242.23564.231.249.250195.169.125.22899.190.186.102182.8.170.15393.63.139.146190.1.235.5941.70.190.21881.88.151.10990.156.118.144151.45.10.230190.17.161.6268.199.158.9367.52.7.17446.40.121.209212.49.41.106124.122.199.15188.14.124.180186.92.102.126173.185.182.5895.91.233.775.118.250.16693.202.97.42